Researchers at Atlanta-based security vendor SecureWorks have uncovered a new type of phishing attack that circumvents a bank's attempt to detect fraud by tricking victims into forwarding their telephone calls to the attacker. The attack begins with an e-mail sent from the phisher telling the potential victim their bank needs to verify their phone number immediately, and their account will be suspended if they do not confirm the number. The victim is told to confirm their number by dialing *72 and then another number, effectively forwarding their calls to the phisher's telephone.
The victim is then asked in the e-mail to update their personal information, such as bank account and Social Security numbers. If the victim's bank calls to question an unusual transaction while the calls are being forwarded, the phisher need only confirm the illegal transaction is legitimate. SecureWorks researcher Don Jackson said these types of attacks are currently not widespread, but may become so in the future as more banks use out-of-band authentication to check the validity of suspicious transactions.